Legal Notices

Vulnerability Disclosure

Purpose

At BrightShield, we are committed to maintaining the security and privacy of our systems and users. Security researchers and members of the community play a crucial role in helping us improve our security posture. This Vulnerability Disclosure Policy outlines how to responsibly report vulnerabilities to us.

Scope

This policy applies to any digital assets owned, operated, or maintained by BrightShield, including public-facing websites.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in our systems or services, we encourage you to report it to us responsibly. Please email a detailed report to: security@brightshield.io.

Include as much information as possible, such as:

  • A description of the vulnerability and its potential impact
  • A list of affected systems, URLs, or endpoints
  • Steps to reproduce the issue, including any proof-of-concept code or screenshots
  • Your contact information (optional, if you'd like updates or acknowledgment)

Our Commitments

If you follow this policy in good faith, we commit to:

  • Acknowledging receipt of your report within 1 business day
  • Triaging your report within 2 working days
  • Providing an estimated timeline for addressing the vulnerability
  • Not taking legal action against you or reporting you to law enforcement for your disclosure
  • Keeping your identity confidential if requested

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We'd like our public guidance to be consistent, so please continue to coordinate any public release with us.

Guidance

You must NOT:

  • Break any applicable law or regulations.
  • Access unnecessary, excessive or significant amounts of data.
  • Modify or delete data in BrightShield's systems or services.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
  • Disrupt BrightShield's services or systems.
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with "best practice", for example missing security headers.
  • Social engineer, phish, or physically attack BrightShield staff or infrastructure.
  • Demand financial compensation in order to disclose any vulnerabilities.

You must:

  • Always comply with data protection laws and not violate the privacy of any data BrightShield holds. You must not, for example, share, redistribute, or fail to properly secure data retrieved from the systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first.

No Compensation

At this time, BrightShield does not offer monetary rewards or bug bounties for reported vulnerabilities. However, we appreciate your contribution and may offer public acknowledgment at our discretion (with your consent).

Responsible Disclosure

We request that researchers give us a reasonable opportunity to fix the issue before publicly disclosing it. We are committed to working with you to understand and resolve any security issues.

This policy is designed to be compatible with common vulnerability disclosure best practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause BrightShield, our partner organisations, or customers to be in breach of any legal obligations.

Last Updated: October 31, 2025